Radius MAC filtering with EAP-PEAP

Ivan Kalik tnt at kalik.net
Wed Feb 27 12:58:45 CET 2008


1. Debug is a bit longer than that. You should post the whole thing.

2. This is not a mac authentication request.

3. That Calling-Station-Id is not going to get checked. Read the instructions
in the users file on where check items go.

Ivan Kalik
Kalik Informatika ISP


On 27/2/2008, "Era" <alexey.eronko at gmail.com> wrote:

>Hi!
>
>Could you please help me find my fault? I have a test user with a laptop. I
>want to restrict access for this laptop. In the users file I added a wrong MAC
>address (00-18-de-4e-8f-11) but the laptop can still connect with testuser/12345
>credentials.
>
>:(
>
>Here is my AP request :
>
>rad_recv: Access-Request packet from host 10.10.10.139:6001, id=65, length=195
>        User-Name = "testuser"
>        NAS-IP-Address = 89.10.10.139
>        Called-Station-Id = "00-20-a6-64-66-a3:A"
>        Calling-Station-Id = "00-18-de-4e-8f-1d"
>        NAS-Identifier = "ORiNOCO-AP-700-64-66-a3"
>        State = 0x47e0330ad155ef064a62de62873e8690
>        Framed-MTU = 1400
>        NAS-Port = 2
>        NAS-Port-Type = Wireless-802.11
>        EAP-Message = 0x020900261900170301001b139845f4c8e9bcb46
>
>Debug log:
>
>rlm_checkval: Item Name: Calling-Station-Id, Value: 00-18-de-4e-8f-1d
>rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
>  modcall[authorize]: module "checkval" returns notfound for request 8
>
>
>
>Here is my users file:
>
>testuser User-Password == "12345"
>         Calling-Station-Id = "00-18-de-4e-8f-11"
>
>Here is my checkval config:
>
>checkval {
>                # The attribute to look for in the request
>                item-name = Calling-Station-Id
>                # The attribute to look for in check items. Can be multi valued
>                check-name = Calling-Station-Id
>                # The data type. Can be
>                # string,integer,ipaddr,date,abinary,octets
>                data-type = string
>                # If set to yes and we dont find the item-name attribute in the
>                # request then we send back a reject
>                # DEFAULT is no
>                notfound-reject = yes
>        }
>
>Era
>
>-----Original Message-----
>From: freeradius-users-bounces+alexey.eronko=gmail.com at lists.freeradius.org
>[mailto:freeradius-users-bounces+alexey.eronko=gmail.com at lists.freeradius.or
>g] On Behalf Of Ivan Kalik
>Sent: Wednesday, February 27, 2008 12:33 PM
>To: FreeRadius users mailing list
>Subject: Re: Radius MAC filtering with EAP-PEAP
>
>>Could you please suggest me how can I check MAC filter(via Radius) and
>after
>>that do EAP-PEAP authorization?
>>
>
>Read your NAS documentation.
>
>Ivan Kalik
>Kalik Informatika ISP
>
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
>
>
>
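
Point 3 of the reply, as an added example (not part of the original thread and not FreeRADIUS code): a simplified Python model of how a users-file entry splits into check items (first line) and reply items (indented lines), and of the checkval lookup that logged "Could not find attribute ... in check pairs". The helpers `parse_entry`, `checkval`, `evaluate` and the `MAC_AS_CHECK` entry are assumptions made for illustration.

```python
import re

# Constructed from the post: the users-file entry as posted, plus a variant
# (assumption) with the MAC moved to the first line as a check item.
AS_POSTED = '''testuser User-Password == "12345"
         Calling-Station-Id = "00-18-de-4e-8f-11"
'''
MAC_AS_CHECK = 'testuser User-Password == "12345", Calling-Station-Id == "00-18-de-4e-8f-11"\n'
# Attributes taken from the Access-Request quoted in the thread.
REQUEST = {"User-Name": "testuser", "Calling-Station-Id": "00-18-de-4e-8f-1d"}

ITEM = re.compile(r'([\w-]+)\s*(==|:=|\+=|=)\s*"?([^",]*)"?')

def parse_entry(text):
    """Split one users-file entry into (name, check_items, reply_items).

    Items after the user name on the first line are check items; items on
    the indented continuation lines are reply items.
    """
    lines = [l for l in text.splitlines() if l.strip()]
    name, _, rest = lines[0].partition(" ")
    check = {attr: val for attr, _, val in ITEM.findall(rest)}
    reply = {attr: val for l in lines[1:] for attr, _, val in ITEM.findall(l)}
    return name, check, reply

def checkval(request, check_items, item_name="Calling-Station-Id",
             check_name="Calling-Station-Id", notfound_reject=True):
    """Simplified model of the checkval decision (exact string match only)."""
    if item_name not in request:
        return "reject" if notfound_reject else "notfound"
    if check_name not in check_items:
        return "notfound"  # "Could not find attribute ... in check pairs"
    return "ok" if request[item_name] == check_items[check_name] else "reject"

def evaluate(entry_text, request):
    """Parse an entry and run the modelled checkval against its check items."""
    _, check, _ = parse_entry(entry_text)
    return checkval(request, check)

if __name__ == "__main__":
    print(parse_entry(AS_POSTED))           # MAC lands in the reply items
    print(evaluate(AS_POSTED, REQUEST))     # notfound, as in the debug log
    print(evaluate(MAC_AS_CHECK, REQUEST))  # reject: 1d does not match 11
```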



